On Mon, Oct 22, 2018 at 4:17 AM Gerhard Vissie Visser
<[email protected]> wrote:
>
> Hi. I would just like some advice if I may.
>
> I get this email notification maybe twice a day.
>
> OSSEC HIDS Notification.
> 2018 Oct 20 14:18:33
>
> Received From: server->/var/log/nginx/access.log
> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
> Src IP: 12.345.67.89
> Portion of the log(s):
>
> 12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade 
> HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
>
>
> --END OF NOTIFICATION
>
> The source IP is my workstation. So I know this is not an attack of sorts. 
> This is after I installed a specific application and set up a reverse proxy 
> for it (https://server.me.com).
> I have also whitelisted my IP (12.345.67.89).
>
> To try and hide this message, I created a custom rule:
>   <rule id="31122" level="0">
>     <if_sid>31120</if_sid>
>     <id>^500</id>
>     <srcip>12.345.67.89</srcip>
>     <description>Web server 500 error code (Internal Error).</description>
>   </rule>
>
> I cannot pick up that anything is blocked; my app works like I would have 
> expected. The only thing is these emails that I get. Besides that I could not 
> have picked up any negativity.
>
>
> I still need to see if this makes a difference.
> My questions:
> 1. Was this the right thing to do?
> 2. Did I write the rule correctly?
> 3. This rule seems to be very generic (^500). Can I somehow be more specific? 
> Maybe say that all 500 errors from/on app "https://server.me.com"? If so, how?
> 4. Any other advice that would have resulted in a better outcome maybe?
>

You can use ossec-logtest to test your rules:

ix# /var/ossec/bin/ossec-logtest
2018/10/22 13:40:56 ossec-testrule: INFO: Reading local decoder file.
2018/10/22 13:40:56 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2018/10/22 13:40:56 ossec-testrule: INFO: Started (pid: 23931).
ossec-testrule: Type one log per line.

12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"


**Phase 1: Completed pre-decoding.
       full event: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'
       hostname: 'ix'
       program_name: '(null)'
       log: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '12.345.67.89'
       srcuser: '-'
       action: 'GET'
       url: '/rest/system/upgrade'
       id: '500'

**Phase 3: Completed filtering (rules).
       Rule id: '31122'
       Level: '5'
       Description: 'Web server 500 error code (Internal Error).'
**Alert to be generated.

I think you can use anything in Phase 2 to limit your rule.

> As I am still new at OSSEC, advice will really be appreciated.
>
>
> Vissie
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

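The following is an added example, not code from the thread or from OSSEC: a toy model of the three ossec-logtest phases shown above, used to make concrete what "use anything in Phase 2 to limit your rule" means. It decodes each line into the Phase 2 fields (srcip, srcuser, action, url, id), then walks a rule tree in which a local child rule, constrained by `<srcip>` and `<url>`, narrows 31122 instead of redefining it. The 31100/31120/31122 chain is a constructed approximation of the stock web_rules.xml, rule id 100100 is chosen from the 100000+ range OSSEC reserves for local rules, the addresses 192.0.2.10 (standing in for the workstation) and 198.51.100.7 and the four log lines are constructed, and OSSEC's regex and rule-tree semantics are simplified.

```python
# Toy model of the ossec-logtest phases (added example, not OSSEC code): decode a
# line into the Phase 2 fields, then walk a rule tree in which a local child rule
# narrows 31122 by <srcip> and <url>.  Regex and rule semantics are simplified.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Phase 2: roughly what the stock "web-accesslog" decoder extracts from a
# combined-format nginx/Apache line (srcip, srcuser, action, url, id).
ACCESS_LOG = re.compile(r'^(?P<srcip>\S+) \S+ (?P<srcuser>\S+) \[[^\]]+\] '
                        r'"(?P<action>\w+) (?P<url>\S+) HTTP/[\d.]+" (?P<id>\d{3}) ')

# Constructed approximation of the stock 31100 -> 31120 -> 31122 chain plus one
# local rule.  A matching child replaces its parent, so 100100 at level 0 silences
# only 500s from 192.0.2.10 on the upgrade endpoint; every other 500 still hits 31122.
RULES_XML = """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31120" level="0">
    <if_sid>31100</if_sid>
    <id>^5</id>
    <description>Web server 500 error code.</description>
  </rule>
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <description>Web server 500 error code (Internal Error).</description>
  </rule>
  <rule id="100100" level="0">
    <if_sid>31122</if_sid>
    <srcip>192.0.2.10</srcip>
    <url>^/rest/system/upgrade$</url>
    <description>Expected 500 from the admin workstation on the upgrade endpoint.</description>
  </rule>
</group>
"""

def decode(line):
    """Return the decoded fields for a web access log line, or None."""
    m = ACCESS_LOG.match(line)
    return m.groupdict() if m else None

def ossec_regex(pattern):
    """OSSEC regex subset to Python re: a bare '.' is a literal dot, '\\.' is any
    character; \\d \\w \\s and the ^ $ | * + ( ) operators keep their meaning."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            out.append('.' if pattern[i + 1] == '.' else c + pattern[i + 1])
            i += 2
        else:
            out.append(c if c in '^$|*+()' else re.escape(c))
            i += 1
    return re.compile(''.join(out))

def _ip_in(value, net):  # <srcip> is an address/CIDR match, not a regex
    try:
        return value is not None and ipaddress.ip_address(value) in net
    except ValueError:
        return False

def load_rules(xml_text):
    """Parse rules into {id: {level, parent, conds, desc}}."""
    rules = {}
    for r in ET.fromstring(xml_text.strip()).iter('rule'):
        conds, parent = [], None
        for el in r:
            text = (el.text or '').strip()
            if el.tag == 'if_sid':
                parent = text
            elif el.tag == 'srcip':
                net = ipaddress.ip_network(text, strict=False)
                conds.append(lambda f, n=net: _ip_in(f.get('srcip'), n))
            elif el.tag in ('id', 'url', 'action', 'srcuser'):  # regex-matched options
                rx = ossec_regex(text)
                conds.append(lambda f, t=el.tag, rx=rx: rx.search(f.get(t, '')) is not None)
        rules[r.get('id')] = {'level': int(r.get('level')), 'parent': parent,
                              'conds': conds, 'desc': r.findtext('description')}
    return rules

def match(rules, fields, parent=None):
    """Phase 3: descend from the root; the deepest matching rule wins."""
    for rid, rule in rules.items():
        if rule['parent'] == parent and all(c(fields) for c in rule['conds']):
            return match(rules, fields, rid) or (rid, rule['level'], rule['desc'])
    return None

RULES = load_rules(RULES_XML)

def evaluate(line):
    """(rule_id, level, description) as ossec-logtest reports it, or None if undecodable."""
    fields = decode(line)
    return match(RULES, fields) if fields else None

# Constructed sample lines: 192.0.2.10 is the workstation, 198.51.100.7 another client.
SAMPLE_LINES = [
    '192.0.2.10 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2018:14:20:01 +0200] "GET /rest/system/upgrade HTTP/2.0" 500 322 "-" "curl/7.61.0"',
    '192.0.2.10 - - [20/Oct/2018:14:21:45 +0200] "POST /rest/db/scan HTTP/2.0" 500 96 "https://server.me.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Oct/2018:14:22:10 +0200] "GET /rest/system/upgrade HTTP/2.0" 200 1337 "https://server.me.com/" "Mozilla/5.0"',
]
```

Running `evaluate` over the four lines gives 100100 at level 0 (no alert) for the workstation's 500 on /rest/system/upgrade, 31122 at level 5 for the same request from another address and for a 500 on a different URL from the workstation, and 31100 at level 0 for the 200. The real check is the same: put the 100100 rule in /var/ossec/rules/local_rules.xml and feed the lines to ossec-logtest as in the reply above. Redefining rule 31122 itself in local_rules.xml with the same id requires overwrite="yes" on the `<rule>` element, and because the redefined rule then carries the `<srcip>` constraint, 500s from everyone else no longer match it; a level 0 child with `<if_sid>31122</if_sid>` avoids both problems. Note that the decoder does not extract the referer or Host, so "all 500s on https://server.me.com" has to be expressed through `<url>` on the request path, or by giving that vhost its own access log.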